{% extends "./layout.html" %} {% block title %}A3-Cross-Site Scripting (XSS){% endblock %} {% block content %}
<div class="row">
    <div class="col-lg-12">
        <div class="bs-example" style="margin-bottom: 40px;">
            <span class="label label-warning">Exploitability: AVERAGE</span>
            <span class="label label-danger">Prevalence: VERY WIDESPREAD</span>
            <span class="label label-danger">Detectability: EASY</span>
            <span class="label label-warning">Technical Impact: MODERATE</span>
        </div>
    </div>
</div>

<div class="row">
    <div class="col-lg-12">

        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Description</h3>
            </div>
            <div class="panel-body">
                XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
                XSS allows attackers to execute scripts in the victims' browser, which can access any cookies, session tokens,
                or other sensitive information retained by the browser, or redirect user to malicious sites.
            </div>
        </div>

        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Attack Mechanics</h3>
            </div>
            <div class="panel-body">
                <p>
                    There are two types of XSS flaws:
                </p>

                <ol>
                    <li>Reflected XSS: The malicious data is echoed back by the server in an immediate response to an HTTP
                        request from the victim.</li>
                    <li>Stored XSS: The malicious data is stored on the server or on browser (using HTML5 local storage,
                        for example), and later gets embedded in HTML page provided to the victim.</li>
                </ol>

                <p>Each of reflected and stored XSS can occur on the server or on the client (which is also known as DOM
                    based XSS), depending on when the malicious data gets injected in HTML markup.</p>
            </div>
        </div>

        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">How Do I Prevent It?</h3>
            </div>
            <div class="panel-body">
                <ol>
                    <li>
                        <p><b> Input validation and sanitization:</b> Input validation and data sanitization are the first
                            line of defense against untrusted data. Apply white list validation wherever possible.</p>
                    </li>
                    <li>
                        <p> <b> Output encoding for correct context: </b>When a browser is rendering HTML and any other associated
                            content like CSS, javascript etc., it follows different rendering rules for each context. Hence
                            <i>Context-sensitive output encoding</i> is absolutely critical for mitigating risk of XSS.</p>
                        Here are the details about applying correct encoding in each context:
                        <table class="table table-bordered table-hover">
                            <tbody>
                                <tr>
                                    <th>Context</th>
                                    <th>Code Sample</th>
                                    <th>Encoding Type</th>
                                </tr>
                                <tr>
                                    <td>HTML Entity</td>
                                    <td>&lt;span&gt;
                                        <span style="color:red;">UNTRUSTED DATA</span>&lt;/span&gt;</td>
                                    <td>Convert &amp; to &amp;amp;
                                        <br>Convert &lt; to &amp;lt;
                                        <br>Convert &gt; to &amp;gt;
                                        <br>Convert " to &amp;quot;
                                        <br>Convert ' to &amp;#x27;
                                        <br>Convert / to &amp;#x2F;
                                    </td>
                                </tr>
                                <tr>
                                    <td>HTML Attribute Encoding</td>
                                    <td>&lt;input type="text" name="fname" value="
                                        <span style="color:red;">UNTRUSTED DATA</span>"&gt;</td>
                                    <td>Except for alphanumeric characters, escape all characters with the HTML Entity &amp;#xHH;
                                        format, including spaces. (HH = Hex Value)
                                        <br/>
                                    </td>
                                </tr>
                                <tr>
                                    <td>URI Encoding</td>
                                    <td>&lt;a href="/site/search?value=
                                        <span style="color:red;">UNTRUSTED DATA</span>"&gt;clickme&lt;/a&gt;</td>
                                    <td>Except for alphanumeric characters, escape all characters with ASCII values less
                                        than 256 with the HTML Entity &amp;#xHH; format, including spaces. (HH = Hex Value)
                                        <br/>
                                    </td>
                                </tr>
                                <tr>
                                    <td>JavaScript Encoding</td>
                                    <td>&lt;script&gt;var currentValue='
                                        <span style="color:red;">UNTRUSTED DATA</span>';&lt;/script&gt;
                                        <br>&lt;script&gt;someFunction('
                                        <span style="color:red;">UNTRUSTED DATA</span>');&lt;/script&gt;
                                    </td>
                                    <td>Ensure JavaScript variables are quoted. Except for alphanumeric characters, escape
                                        all characters with ASCII values less than 256 with \uXXXX unicode escaping format
                                        (X = Integer), or in xHH (HH = HEX Value) encoding format.
                                    </td>
                                </tr>
                                <tr>
                                    <td>CSS Encoding</td>
                                    <td>&lt;div style="width:
                                        <span style="color:red;">UNTRUSTED DATA</span>;"&gt;Selection&lt;/div&gt;</td>
                                    <td>Except for alphanumeric characters, escape all characters with ASCII values less
                                        than 256 with the \HH (HH= Hex Value) escaping format.
                                    </td>
                                </tr>
                            </tbody>
                        </table>
                    </li>
                    <li>
                        <p><b>HTTPOnly cookie flag:</b> Preventing all XSS flaws in an application is hard. To help mitigate
                            the impact of an XSS flaw on your site, set the HTTPOnly flag on session cookie and any custom
                            cookies that are not required to be accessed by JavaScript.
                        </p>
                    </li>
                    <li>
                        <p><b>Implement Content Security Policy (CSP):</b> CSP is a browser side mechanism which allows creating
                            whitelists for client side resources used by the web application, e.g. JavaScript, CSS, images,
                            etc. CSP via special HTTP header instructs the browser to only execute or render resources from
                            those sources. For example, the CSP header below allows content only from example site's own
                            domain (mydomain.com) and all its sub domains.
                            <pre>Content-Security-Policy: default-src 'self' *.mydomain.com</pre>

                        </p>
                    </li>
                    <li> <b>Apply encoding on both client and server side: </b> It is essential to apply encoding on both
                        client and server side to mitigate DOM based XSS attack, in which untrusted data never leaves the
                        browser.
                </ol>
                <p>Source: XSS Prevention Cheat Sheet[1]
                </p>
            </div>
        </div>
        <div id="source-code-example" class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Source Code Example</h3>
            </div>
            <div class="panel-body">
                <p>
                    The demo web application is vulnerable to stored XSS attack on profiles form. On form submit, the first and last name field
                    values are submitted to the server, and without any validation get saved in database. The values are
                    then sent back to the browser without proper escaping to be shown at the top right menu.
                </p>
                <iframe width="560" height="315" src="//www.youtube.com/embed/KvZ5jdg083M?rel=0" frameborder="0" allowfullscreen></iframe>

                <p>Two measures can be taken to mitigate XSS risk:

                    <ol>
                        <li>In
                            <code>server.js</code>, enable the HTML Encoding using template engine's auto escape flag.
                            <pre>
swig.init({
    root: __dirname + "/app/views",
    autoescape: true //default value
});
                            </pre>
                        </li>
                        <li>
                            Set HTTPOnly flag for session cookie while configuring the express session
                            <pre>
// Enable session management using express middleware
app.use(express.session({
    secret: "s3Cur3",
    cookie: {
        httpOnly: true,
        secure: true
    }
}));
                            </pre>
                        </li>
                    </ol>
                    There were no additional contexts that needed encoding on the demo page; otherwise, it is necessary to encode for correct
                    context depending on where data get placed at.

            </div>
        </div>

        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Output Encoding Context</h3>
            </div>
            <div class="panel-body">
                <p>
                    An important observation when handling output encoding to prevent XSS is the notion of context.
                </p>

                <p>
                    When output encoding is performed, it must match the context in which it is being injected to. For example, if a user input
                    is being injected to an HTML element then it will require different encoding semantics to escape malicious
                    input than if it were injected to say an HTML attribute or a JavaScript context altogether (such as in
                    a script tag).
                </p>

                <p>
                    An example for how to take advantage and exploit this mis-understanding exists on the profile page. See code references in
                    <code>profile.js</code> and <code>profile.html</code>
                </p>
            </div>
        </div>

        <div class="panel panel-info">
            <div class="panel-heading">
                <h3 class="panel-title">Further Reading</h3>
            </div>
            <div class="panel-body">
                <ol>
                    <li>
                        <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS Prevention
                            Cheat Sheet</a>
                    </li>
                    <li>
                        <a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting#Server_XS">Types of Cross-Site
                            Scripting
                        </a>
                    </li>
                    <li>
                        <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_sheet ">XSS Filter
                            Evasion Cheat Sheet</a>
                    </li>
                    <li>
                        <a href="https://www.owasp.org/images/c/c5/Unraveling_some_Mysteries_around_DOM-based_XSS.pdf ">Unraveling
                            some of the Mysteries around DOM-based XSS</a>
                    </li>
                </ol>
            </div>
        </div>

    </div>
</div>
{% endblock %}